npm - @cosmicdrift/kumiko-bundled-features - Versions diffs - 0.1.0 - Mend

@cosmicdrift/kumiko-bundled-features 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (333) hide show

package/package.json +90 -0
package/src/audit/__tests__/audit.integration.ts +328 -0
package/src/audit/constants.ts +7 -0
package/src/audit/feature.ts +23 -0
package/src/audit/handlers/list.query.ts +98 -0
package/src/audit/index.ts +2 -0
package/src/auth-email-password/__tests__/account-lockout-no-redis.integration.ts +149 -0
package/src/auth-email-password/__tests__/account-lockout.integration.ts +308 -0
package/src/auth-email-password/__tests__/auth-claims.integration.ts +512 -0
package/src/auth-email-password/__tests__/auth.integration.ts +610 -0
package/src/auth-email-password/__tests__/confirm-token-flow.test.ts +67 -0
package/src/auth-email-password/__tests__/email-templates.test.ts +106 -0
package/src/auth-email-password/__tests__/email-verification.integration.ts +327 -0
package/src/auth-email-password/__tests__/identity-v3-hash.test.ts +174 -0
package/src/auth-email-password/__tests__/identity-v3-login.integration.ts +150 -0
package/src/auth-email-password/__tests__/invite-flow.integration.ts +458 -0
package/src/auth-email-password/__tests__/multi-roles.integration.ts +256 -0
package/src/auth-email-password/__tests__/password-reset.integration.ts +346 -0
package/src/auth-email-password/__tests__/public-routes-rate-limit.integration.ts +144 -0
package/src/auth-email-password/__tests__/seed-admin.integration.ts +176 -0
package/src/auth-email-password/__tests__/session-callbacks.integration.ts +310 -0
package/src/auth-email-password/__tests__/session-strict-mode.integration.ts +101 -0
package/src/auth-email-password/__tests__/signed-token.test.ts +78 -0
package/src/auth-email-password/__tests__/signup-flow.integration.ts +259 -0
package/src/auth-email-password/auth-user-row.ts +41 -0
package/src/auth-email-password/constants.ts +101 -0
package/src/auth-email-password/email-templates.ts +283 -0
package/src/auth-email-password/feature.ts +140 -0
package/src/auth-email-password/handlers/change-password.write.ts +58 -0
package/src/auth-email-password/handlers/confirm-token-flow.ts +191 -0
package/src/auth-email-password/handlers/invite-accept-with-login.write.ts +203 -0
package/src/auth-email-password/handlers/invite-accept.write.ts +189 -0
package/src/auth-email-password/handlers/invite-create.write.ts +145 -0
package/src/auth-email-password/handlers/invite-signup-complete.write.ts +192 -0
package/src/auth-email-password/handlers/login.write.ts +208 -0
package/src/auth-email-password/handlers/logout.write.ts +12 -0
package/src/auth-email-password/handlers/request-email-verification.write.ts +29 -0
package/src/auth-email-password/handlers/request-password-reset.write.ts +31 -0
package/src/auth-email-password/handlers/reset-password.write.ts +61 -0
package/src/auth-email-password/handlers/signup-confirm.write.ts +170 -0
package/src/auth-email-password/handlers/signup-request.write.ts +104 -0
package/src/auth-email-password/handlers/token-request-handler.ts +114 -0
package/src/auth-email-password/handlers/verify-email.write.ts +62 -0
package/src/auth-email-password/i18n.ts +211 -0
package/src/auth-email-password/identity-v3-hash.ts +97 -0
package/src/auth-email-password/index.ts +35 -0
package/src/auth-email-password/invite-token-store.ts +92 -0
package/src/auth-email-password/lockout-store.ts +118 -0
package/src/auth-email-password/password-hashing.ts +43 -0
package/src/auth-email-password/reset-token.ts +28 -0
package/src/auth-email-password/seeding.ts +183 -0
package/src/auth-email-password/signed-token.ts +85 -0
package/src/auth-email-password/signup-token-store.ts +104 -0
package/src/auth-email-password/stream-tenant.ts +31 -0
package/src/auth-email-password/testing.ts +5 -0
package/src/auth-email-password/token-burn-store.ts +57 -0
package/src/auth-email-password/verification-token.ts +27 -0
package/src/auth-email-password/web/__tests__/auth-gate.test.tsx +51 -0
package/src/auth-email-password/web/__tests__/forgot-password-screen.test.tsx +80 -0
package/src/auth-email-password/web/__tests__/login-screen.test.tsx +94 -0
package/src/auth-email-password/web/__tests__/reset-password-screen.test.tsx +108 -0
package/src/auth-email-password/web/__tests__/session-roles.test.ts +54 -0
package/src/auth-email-password/web/__tests__/tenant-switcher.test.tsx +100 -0
package/src/auth-email-password/web/__tests__/test-utils.tsx +73 -0
package/src/auth-email-password/web/__tests__/user-menu.test.tsx +55 -0
package/src/auth-email-password/web/__tests__/verify-email-screen.test.tsx +59 -0
package/src/auth-email-password/web/auth-client.ts +350 -0
package/src/auth-email-password/web/auth-form-primitives.tsx +70 -0
package/src/auth-email-password/web/auth-gate.tsx +33 -0
package/src/auth-email-password/web/client-plugin.ts +48 -0
package/src/auth-email-password/web/default-topbar-actions.tsx +47 -0
package/src/auth-email-password/web/forgot-password-screen.tsx +110 -0
package/src/auth-email-password/web/index.ts +56 -0
package/src/auth-email-password/web/invite-accept-screen.tsx +220 -0
package/src/auth-email-password/web/login-screen.tsx +150 -0
package/src/auth-email-password/web/reset-password-screen.tsx +152 -0
package/src/auth-email-password/web/session.tsx +171 -0
package/src/auth-email-password/web/signup-complete-screen.tsx +150 -0
package/src/auth-email-password/web/signup-screen.tsx +130 -0
package/src/auth-email-password/web/tenant-switcher.tsx +116 -0
package/src/auth-email-password/web/use-shell-user.ts +34 -0
package/src/auth-email-password/web/user-menu.tsx +89 -0
package/src/auth-email-password/web/verify-email-screen.tsx +102 -0
package/src/billing-foundation/__tests__/billing-foundation.integration.ts +568 -0
package/src/billing-foundation/__tests__/feature.test.ts +110 -0
package/src/billing-foundation/__tests__/webhook-handler.test.ts +199 -0
package/src/billing-foundation/aggregate-id.ts +21 -0
package/src/billing-foundation/constants.ts +70 -0
package/src/billing-foundation/entities.ts +50 -0
package/src/billing-foundation/events.ts +71 -0
package/src/billing-foundation/feature.ts +122 -0
package/src/billing-foundation/get-subscription-for-tenant.ts +39 -0
package/src/billing-foundation/handlers/create-checkout-session.write.ts +79 -0
package/src/billing-foundation/handlers/create-portal-session.write.ts +73 -0
package/src/billing-foundation/handlers/list-subscriptions.query.ts +20 -0
package/src/billing-foundation/handlers/process-event.write.ts +160 -0
package/src/billing-foundation/index.ts +42 -0
package/src/billing-foundation/projection.ts +135 -0
package/src/billing-foundation/types.ts +157 -0
package/src/billing-foundation/webhook-handler.ts +184 -0
package/src/cap-counter/__tests__/cap-counter.integration.ts +566 -0
package/src/cap-counter/__tests__/enforce-cap.test.ts +422 -0
package/src/cap-counter/__tests__/with-cap-enforcement.integration.ts +265 -0
package/src/cap-counter/aggregate-id.ts +61 -0
package/src/cap-counter/constants.ts +32 -0
package/src/cap-counter/enforce-cap.ts +404 -0
package/src/cap-counter/entity.ts +48 -0
package/src/cap-counter/feature.ts +90 -0
package/src/cap-counter/handlers/get-counter.query.ts +43 -0
package/src/cap-counter/handlers/increment-rolling.write.ts +79 -0
package/src/cap-counter/handlers/increment.write.ts +92 -0
package/src/cap-counter/handlers/mark-soft-warned.write.ts +57 -0
package/src/cap-counter/index.ts +34 -0
package/src/cap-counter/with-cap-enforcement.ts +179 -0
package/src/channel-email/email-channel.ts +48 -0
package/src/channel-email/feature.ts +15 -0
package/src/channel-email/index.ts +4 -0
package/src/channel-email/smtp-transport.ts +65 -0
package/src/channel-email/types.ts +34 -0
package/src/channel-in-app/constants.ts +11 -0
package/src/channel-in-app/feature.ts +30 -0
package/src/channel-in-app/handlers/inbox.query.ts +28 -0
package/src/channel-in-app/handlers/mark-all-read.write.ts +21 -0
package/src/channel-in-app/handlers/mark-read.write.ts +32 -0
package/src/channel-in-app/handlers/unread-count.query.ts +20 -0
package/src/channel-in-app/in-app-channel.ts +44 -0
package/src/channel-in-app/index.ts +4 -0
package/src/channel-in-app/tables.ts +22 -0
package/src/channel-push/feature.ts +15 -0
package/src/channel-push/index.ts +3 -0
package/src/channel-push/push-channel.ts +33 -0
package/src/channel-push/types.ts +22 -0
package/src/config/__tests__/app-overrides.test.ts +118 -0
package/src/config/__tests__/config.integration.ts +1246 -0
package/src/config/constants.ts +23 -0
package/src/config/feature.ts +117 -0
package/src/config/handlers/__tests__/prepare-config-write.test.ts +209 -0
package/src/config/handlers/reset.write.ts +45 -0
package/src/config/handlers/schema.query.ts +22 -0
package/src/config/handlers/set.write.ts +93 -0
package/src/config/handlers/values.query.ts +43 -0
package/src/config/index.ts +15 -0
package/src/config/resolver.ts +283 -0
package/src/config/table.ts +35 -0
package/src/config/write-helpers.ts +268 -0
package/src/delivery/__tests__/delivery-events.integration.ts +166 -0
package/src/delivery/__tests__/delivery.integration.ts +1405 -0
package/src/delivery/constants.ts +33 -0
package/src/delivery/delivery-service.ts +489 -0
package/src/delivery/events.ts +18 -0
package/src/delivery/feature.ts +70 -0
package/src/delivery/handlers/log.query.ts +21 -0
package/src/delivery/handlers/preferences.query.ts +18 -0
package/src/delivery/handlers/set-preference.write.ts +28 -0
package/src/delivery/index.ts +35 -0
package/src/delivery/tables.ts +74 -0
package/src/delivery/testing.ts +47 -0
package/src/delivery/types.ts +71 -0
package/src/delivery/unsubscribe.ts +99 -0
package/src/delivery/upsert-preference.ts +145 -0
package/src/feature-toggles/__tests__/feature-toggles.integration.ts +687 -0
package/src/feature-toggles/constants.ts +20 -0
package/src/feature-toggles/events.ts +18 -0
package/src/feature-toggles/feature.ts +98 -0
package/src/feature-toggles/global-feature-state-table.ts +28 -0
package/src/feature-toggles/handlers/list.query.ts +26 -0
package/src/feature-toggles/handlers/registered.query.ts +56 -0
package/src/feature-toggles/handlers/set.write.ts +158 -0
package/src/feature-toggles/index.ts +9 -0
package/src/feature-toggles/toggle-runtime.ts +73 -0
package/src/file-foundation/__tests__/feature.test.ts +35 -0
package/src/file-foundation/__tests__/file-foundation.integration.ts +235 -0
package/src/file-foundation/feature.ts +123 -0
package/src/file-foundation/index.ts +7 -0
package/src/file-provider-inmemory/__tests__/feature.test.ts +35 -0
package/src/file-provider-inmemory/feature.ts +73 -0
package/src/file-provider-inmemory/index.ts +3 -0
package/src/file-provider-s3/__tests__/feature.test.ts +54 -0
package/src/file-provider-s3/feature.ts +169 -0
package/src/file-provider-s3/index.ts +3 -0
package/src/files-provider-s3/__tests__/env-helper.test.ts +161 -0
package/src/files-provider-s3/__tests__/s3-provider.integration.ts +134 -0
package/src/files-provider-s3/__tests__/s3-provider.test.ts +36 -0
package/src/files-provider-s3/env-helper.ts +49 -0
package/src/files-provider-s3/index.ts +3 -0
package/src/files-provider-s3/s3-provider.ts +114 -0
package/src/foundation-shared/config-helpers.ts +67 -0
package/src/foundation-shared/index.ts +4 -0
package/src/jobs/__tests__/job-system-user.integration.ts +194 -0
package/src/jobs/__tests__/jobs-events.integration.ts +143 -0
package/src/jobs/__tests__/jobs-feature.integration.ts +342 -0
package/src/jobs/constants.ts +21 -0
package/src/jobs/events.ts +39 -0
package/src/jobs/feature.ts +150 -0
package/src/jobs/handlers/detail.query.ts +30 -0
package/src/jobs/handlers/list.query.ts +36 -0
package/src/jobs/handlers/retry.write.ts +69 -0
package/src/jobs/handlers/trigger.write.ts +39 -0
package/src/jobs/index.ts +5 -0
package/src/jobs/job-run-logger.ts +213 -0
package/src/jobs/job-run-table.ts +55 -0
package/src/legal-pages/README.md +195 -0
package/src/legal-pages/__tests__/legal-pages.integration.ts +361 -0
package/src/legal-pages/constants.ts +36 -0
package/src/legal-pages/feature.ts +187 -0
package/src/legal-pages/index.ts +13 -0
package/src/legal-pages/markdown.ts +69 -0
package/src/mail-foundation/__tests__/feature.test.ts +46 -0
package/src/mail-foundation/__tests__/mail-foundation.integration.ts +247 -0
package/src/mail-foundation/feature.ts +160 -0
package/src/mail-foundation/index.ts +14 -0
package/src/mail-transport-inmemory/__tests__/feature.test.ts +37 -0
package/src/mail-transport-inmemory/feature.ts +90 -0
package/src/mail-transport-inmemory/index.ts +3 -0
package/src/mail-transport-smtp/__tests__/feature.test.ts +61 -0
package/src/mail-transport-smtp/feature.ts +182 -0
package/src/mail-transport-smtp/index.ts +3 -0
package/src/rate-limiting/__tests__/rate-limiting.integration.ts +84 -0
package/src/rate-limiting/constants.ts +9 -0
package/src/rate-limiting/feature.ts +16 -0
package/src/rate-limiting/handlers/status.query.ts +52 -0
package/src/rate-limiting/index.ts +2 -0
package/src/renderer-simple/__tests__/simple-renderer.test.ts +97 -0
package/src/renderer-simple/feature.ts +12 -0
package/src/renderer-simple/index.ts +2 -0
package/src/renderer-simple/simple-renderer.ts +72 -0
package/src/secrets/__tests__/rotate.integration.ts +176 -0
package/src/secrets/__tests__/secrets-events.integration.ts +125 -0
package/src/secrets/__tests__/secrets.integration.ts +118 -0
package/src/secrets/feature.ts +84 -0
package/src/secrets/handlers/delete.write.ts +20 -0
package/src/secrets/handlers/list.query.ts +38 -0
package/src/secrets/handlers/rotate.job.ts +193 -0
package/src/secrets/handlers/set.write.ts +50 -0
package/src/secrets/index.ts +16 -0
package/src/secrets/secrets-context.ts +296 -0
package/src/secrets/table.ts +68 -0
package/src/sessions/__tests__/cleanup.integration.ts +175 -0
package/src/sessions/__tests__/password-auto-revoke.integration.ts +202 -0
package/src/sessions/__tests__/sessions.integration.ts +472 -0
package/src/sessions/__tests__/test-helpers.ts +66 -0
package/src/sessions/constants.ts +43 -0
package/src/sessions/feature.ts +84 -0
package/src/sessions/handlers/cleanup.job.ts +109 -0
package/src/sessions/handlers/list.query.ts +35 -0
package/src/sessions/handlers/mine.query.ts +37 -0
package/src/sessions/handlers/revoke-all-others.write.ts +42 -0
package/src/sessions/handlers/revoke.write.ts +76 -0
package/src/sessions/index.ts +17 -0
package/src/sessions/schema/index.ts +5 -0
package/src/sessions/schema/user-session.ts +67 -0
package/src/sessions/session-callbacks.ts +110 -0
package/src/sessions/testing.ts +42 -0
package/src/subscription-mollie/__tests__/feature.test.ts +106 -0
package/src/subscription-mollie/__tests__/mollie-foundation.integration.ts +421 -0
package/src/subscription-mollie/__tests__/verify-webhook.test.ts +388 -0
package/src/subscription-mollie/constants.ts +33 -0
package/src/subscription-mollie/feature.ts +144 -0
package/src/subscription-mollie/index.ts +13 -0
package/src/subscription-mollie/plugin-methods.ts +79 -0
package/src/subscription-mollie/verify-webhook.ts +244 -0
package/src/subscription-stripe/__tests__/feature.test.ts +98 -0
package/src/subscription-stripe/__tests__/plugin-methods.test.ts +161 -0
package/src/subscription-stripe/__tests__/stripe-foundation.integration.ts +315 -0
package/src/subscription-stripe/__tests__/verify-webhook.test.ts +306 -0
package/src/subscription-stripe/constants.ts +20 -0
package/src/subscription-stripe/feature.ts +120 -0
package/src/subscription-stripe/index.ts +14 -0
package/src/subscription-stripe/plugin-methods.ts +91 -0
package/src/subscription-stripe/verify-webhook.ts +235 -0
package/src/tenant/__tests__/multi-tenant.integration.ts +278 -0
package/src/tenant/__tests__/seed-testing.integration.ts +229 -0
package/src/tenant/__tests__/tenant.integration.ts +347 -0
package/src/tenant/command-schemas.ts +37 -0
package/src/tenant/constants.ts +37 -0
package/src/tenant/feature.ts +109 -0
package/src/tenant/handlers/active-tenant-ids.query.ts +19 -0
package/src/tenant/handlers/add-member.write.ts +53 -0
package/src/tenant/handlers/cancel-invitation.write.ts +87 -0
package/src/tenant/handlers/create.write.ts +21 -0
package/src/tenant/handlers/disable.write.ts +18 -0
package/src/tenant/handlers/invitations.query.ts +31 -0
package/src/tenant/handlers/list.query.ts +17 -0
package/src/tenant/handlers/me.query.ts +17 -0
package/src/tenant/handlers/members.query.ts +22 -0
package/src/tenant/handlers/memberships.query.ts +24 -0
package/src/tenant/handlers/remove-member.write.ts +40 -0
package/src/tenant/handlers/resolve-user-ids.query.ts +43 -0
package/src/tenant/handlers/update-member-roles.write.ts +54 -0
package/src/tenant/handlers/update.write.ts +20 -0
package/src/tenant/index.ts +12 -0
package/src/tenant/invitation-table.ts +93 -0
package/src/tenant/membership-table.ts +35 -0
package/src/tenant/schema/index.ts +5 -0
package/src/tenant/schema/tenant.ts +27 -0
package/src/tenant/seeding.ts +155 -0
package/src/tenant/testing.ts +8 -0
package/src/text-content/README.md +190 -0
package/src/text-content/__tests__/text-content.integration.ts +415 -0
package/src/text-content/api.ts +92 -0
package/src/text-content/constants.ts +19 -0
package/src/text-content/feature.ts +29 -0
package/src/text-content/handlers/by-slug.query.ts +55 -0
package/src/text-content/handlers/set.write.ts +118 -0
package/src/text-content/index.ts +14 -0
package/src/text-content/seeding.ts +91 -0
package/src/text-content/table.ts +45 -0
package/src/tier-engine/__tests__/compose-app.test.ts +182 -0
package/src/tier-engine/__tests__/drift.test.ts +42 -0
package/src/tier-engine/__tests__/tier-engine.integration.ts +241 -0
package/src/tier-engine/aggregate-id.ts +27 -0
package/src/tier-engine/compose-app.ts +150 -0
package/src/tier-engine/constants.ts +15 -0
package/src/tier-engine/entity.ts +30 -0
package/src/tier-engine/feature.ts +72 -0
package/src/tier-engine/handlers/active-tier.query.ts +23 -0
package/src/tier-engine/index.ts +22 -0
package/src/user/__tests__/seed-testing.integration.ts +127 -0
package/src/user/__tests__/user.integration.ts +198 -0
package/src/user/command-schemas.ts +15 -0
package/src/user/constants.ts +23 -0
package/src/user/feature.ts +32 -0
package/src/user/handlers/create.write.ts +54 -0
package/src/user/handlers/detail.query.ts +9 -0
package/src/user/handlers/find-for-auth.query.ts +38 -0
package/src/user/handlers/list.query.ts +8 -0
package/src/user/handlers/me.query.ts +15 -0
package/src/user/handlers/update.write.ts +54 -0
package/src/user/index.ts +4 -0
package/src/user/schema/index.ts +5 -0
package/src/user/schema/user.ts +69 -0
package/src/user/seeding.ts +93 -0
package/src/user/testing.ts +5 -0

package/src/feature-toggles/constants.ts ADDED Viewed

@@ -0,0 +1,20 @@
+// Fully-qualified event name for feature-toggle changes. Kept as a constant
+// so write-handler + tests reference one source.
+export const FEATURE_TOGGLE_SET_EVENT_NAME = "feature-toggles:event:toggle-set";
+// Aggregate type for toggle-set events. Shares the feature name to keep the
+// events-table grep-friendly: every row belonging to this feature carries
+// "feature-toggles" in its aggregate_type column.
+export const FEATURE_TOGGLE_AGGREGATE_TYPE = "feature-toggles";
+// Error reasons surfaced from feature-toggle handlers. Scoped to the
+// feature's namespace per the framework's reason-convention.
+export const FeatureToggleErrors = {
+  // set-handler attempted to toggle a feature that didn't declare
+  // r.toggleable(). The dispatcher's gate ignores such features anyway,
+  // but writing a row for them would create the illusion of configurability.
+  notToggleable: "feature_not_toggleable",
+  // set-handler attempted to toggle a feature name that isn't registered.
+  // Prevents typos from silently piling up orphan rows.
+  unknownFeature: "unknown_feature",
+} as const;

package/src/feature-toggles/events.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import { z } from "zod";
+// Toggle-change event payload.
+//
+// Contract: every set-operation produces exactly one event, even when
+// enabled === previousEnabled. Redundant writes are legal (confirms the
+// current state, useful for ops "make sure feature X is on"), so consumers
+// that filter for actual transitions must compare enabled !== previousEnabled
+// themselves. `previousEnabled` is null when this is the first time the
+// feature is being toggled (no row existed).
+export const featureToggleSetSchema = z.object({
+  featureName: z.string().min(1),
+  enabled: z.boolean(),
+  previousEnabled: z.boolean().nullable(),
+  updatedBy: z.string(),
+});
+export type FeatureToggleSetPayload = z.infer<typeof featureToggleSetSchema>;

package/src/feature-toggles/feature.ts ADDED Viewed

@@ -0,0 +1,98 @@
+import { defineFeature, type FeatureDefinition } from "@cosmicdrift/kumiko-framework/engine";
+import { FEATURE_TOGGLE_SET_EVENT_NAME } from "./constants";
+import { featureToggleSetSchema } from "./events";
+import { listQuery } from "./handlers/list.query";
+import { registeredQuery } from "./handlers/registered.query";
+import { createSetWriteHandler } from "./handlers/set.write";
+import type { GlobalFeatureToggleRuntime } from "./toggle-runtime";
+// IMPORTANT: feature-toggles itself is NOT r.toggleable. Making it
+// toggleable would brick the system — once disabled, no handler of this
+// feature is reachable to turn it back on. The boot-validator won't catch
+// this (it only warns about dependency shapes), so the guarantee lives in
+// this file: do not add r.toggleable() here.
+export type FeatureTogglesOptions = {
+  // Accessor for the in-memory snapshot the dispatcher gate reads. Must
+  // return a resolved runtime by the time the feature's set-handler is
+  // called — NOT by the time the feature is registered. This matters
+  // because createFeatureToggleRuntime needs the registry that
+  // setupTestStack / buildServer builds from the feature list, so the
+  // runtime and the feature are chicken-and-egg at wire-up time. Passing
+  // an accessor (vs the runtime directly) lets the caller close over a
+  // mutable holder.
+  //
+  // Production setup: resolve the runtime after buildServer returns, then
+  // pass `() => runtime`. For tests, use createLateBoundHolder + .get().
+  readonly getRuntime: () => GlobalFeatureToggleRuntime;
+};
+export function createFeatureTogglesFeature(options: FeatureTogglesOptions): FeatureDefinition {
+  return defineFeature("feature-toggles", (r) => {
+    r.systemScope();
+    // Toggle-change domain event. The event ends up in the events-table
+    // alongside every other write — audit.list picks it up automatically,
+    // no dedicated projection needed. Qualified name after prefixing:
+    // "feature-toggles:event:toggle-set" (see constants.FEATURE_TOGGLE_SET_EVENT_NAME).
+    r.defineEvent("toggle-set", featureToggleSetSchema);
+    const handlers = {
+      set: r.writeHandler(createSetWriteHandler(options.getRuntime)),
+    };
+    const queries = {
+      list: r.queryHandler(listQuery),
+      registered: r.queryHandler(registeredQuery),
+    };
+    // toggle-cache-sync — multi-instance snapshot propagation. Every
+    // API/worker instance runs its own dispatcher cursor on this MSP
+    // (delivery: "per-instance") and converges its in-memory snapshot on
+    // every toggle-set event it observes. Named "cache-sync" (not
+    // "projection" or "audit") because it's side-effect-only
+    // infrastructure — the framework's boot-validator also rejects
+    // per-instance MSPs that carry a `table`.
+    //
+    // Why this is correct alongside the set-handler's own `runtime.apply`:
+    //   - local apply = immediate response-latency optimization so the
+    //     next request on the same instance sees the flip without a
+    //     dispatcher-tick round-trip
+    //   - MSP = multi-instance propagation + crash-recovery. If a process
+    //     crashes between appendEvent (persisted) and the local apply
+    //     (volatile), the MSP rebuilds the snapshot on restart; if
+    //     instance B never ran the write, the MSP is how it learns. Both
+    //     paths are idempotent — apply is Map.set, replay on boot just
+    //     converges to the DB state that initialize() already loaded.
+    //
+    // Requires: options.getRuntime() must resolve by the time the
+    // dispatcher processes its first toggle-set event. The holder-based
+    // wire-up (see FeatureTogglesOptions.getRuntime docstring) guarantees
+    // this in setupTestStack and production boot.
+    r.multiStreamProjection({
+      name: "toggle-cache-sync",
+      delivery: "per-instance",
+      apply: {
+        [FEATURE_TOGGLE_SET_EVENT_NAME]: async (event) => {
+          // The event payload shape is guaranteed by featureToggleSetSchema
+          // (validated on append). Shallow-cast to a typed shape rather
+          // than re-parsing — the payload round-trips through JSON and is
+          // fixed at the source.
+          const payload = event.payload as { featureName: string; enabled: boolean };
+          options.getRuntime().apply(payload.featureName, payload.enabled);
+        },
+      },
+    });
+    return { handlers, queries };
+  });
+}
+export { FEATURE_TOGGLE_SET_EVENT_NAME, FeatureToggleErrors } from "./constants";
+export { globalFeatureStateTable } from "./global-feature-state-table";
+// Re-export the runtime factory + class so app-boot code has a single
+// import path: "@cosmicdrift/kumiko-bundled-features/feature-toggles".
+export {
+  createFeatureToggleRuntime,
+  GlobalFeatureToggleRuntime,
+} from "./toggle-runtime";

package/src/feature-toggles/global-feature-state-table.ts ADDED Viewed

@@ -0,0 +1,28 @@
+import {
+  boolean,
+  instant,
+  integer,
+  table as pgTable,
+  text,
+} from "@cosmicdrift/kumiko-framework/db";
+import { sql } from "drizzle-orm";
+// Global feature-toggle override state. One row per feature that has ever
+// been explicitly flipped by an operator. Missing row = "no override,
+// fall back to the feature's r.toggleable({ default }) value".
+//
+// PK is featureName (text) — not a surrogate UUID — because the feature
+// name IS the identity here. No tenantId: this is a global override that
+// applies across every tenant (per-tenant toggles are intentionally out of
+// scope, see core-feature-toggles.md).
+export const globalFeatureStateTable = pgTable("read_global_feature_state", {
+  featureName: text("feature_name").primaryKey(),
+  enabled: boolean("enabled").notNull(),
+  // Optimistic-lock column. The set-handler reads the existing row, then
+  // updates with `WHERE feature_name = ? AND version = ?`; a 0-row update
+  // means someone else wrote concurrently — the handler retries the fetch.
+  version: integer("version").notNull().default(1),
+  updatedAt: instant("updated_at").default(sql`now()`).notNull(),
+  // UserId (text — SessionUser.id is a uuid string post-ES).
+  updatedBy: text("updated_by"),
+});

package/src/feature-toggles/handlers/list.query.ts ADDED Viewed

@@ -0,0 +1,26 @@
+import { defineQueryHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { z } from "zod";
+import { globalFeatureStateTable } from "../global-feature-state-table";
+// List every row in the global_feature_state table — i.e. every feature
+// that has ever been explicitly flipped. Features without a row aren't
+// returned; callers must combine this with `registered` to see the full
+// effective state (registered features + their current override, if any).
+export const listQuery = defineQueryHandler({
+  name: "list",
+  schema: z.object({}),
+  access: { roles: ["SystemAdmin", "Admin"] },
+  handler: async (_event, ctx) => {
+    type Row = typeof globalFeatureStateTable.$inferSelect;
+    const rows = (await ctx.db.select().from(globalFeatureStateTable)) as Row[];
+    return {
+      items: rows.map((r) => ({
+        featureName: r.featureName,
+        enabled: r.enabled,
+        version: r.version,
+        updatedAt: r.updatedAt.toString(),
+        updatedBy: r.updatedBy,
+      })),
+    };
+  },
+});

package/src/feature-toggles/handlers/registered.query.ts ADDED Viewed

@@ -0,0 +1,56 @@
+import { defineQueryHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { z } from "zod";
+import { globalFeatureStateTable } from "../global-feature-state-table";
+// Inventory of every registered feature, annotated with toggle metadata
+// and the current effective state. This is the canonical "what's here,
+// what's on, what depends on what" snapshot — the UI for the operator
+// toggle screen binds to it.
+//
+// Design: registry introspection (toggleable/default/requires) + a single
+// DB read of overrides. No per-feature DB calls. Scales to however many
+// features an app registers — currently tens, never thousands.
+export const registeredQuery = defineQueryHandler({
+  name: "registered",
+  schema: z.object({}),
+  access: { roles: ["SystemAdmin", "Admin"] },
+  handler: async (_event, ctx) => {
+    type OverrideRow = Pick<typeof globalFeatureStateTable.$inferSelect, "featureName" | "enabled">;
+    const overrideRows = (await ctx.db
+      .select({
+        featureName: globalFeatureStateTable.featureName,
+        enabled: globalFeatureStateTable.enabled,
+      })
+      .from(globalFeatureStateTable)) as OverrideRow[];
+    const overrides = new Map(overrideRows.map((r) => [r.featureName, r.enabled]));
+    const effective = ctx.effectiveFeatures?.();
+    const items = [];
+    for (const feature of ctx.registry.features.values()) {
+      const toggleable = feature.toggleableDefault !== undefined;
+      const override = overrides.get(feature.name);
+      items.push({
+        name: feature.name,
+        toggleable,
+        // `default` is null when non-toggleable; the UI must render
+        // non-toggleable features as "always on" without an enable/disable
+        // control (flipping them would be rejected by the set-handler).
+        default: feature.toggleableDefault ?? null,
+        // `override` is null when no explicit row exists. That's distinct
+        // from "override says on" or "override says off" so the UI can show
+        // an "inherits default" indicator.
+        override: override ?? null,
+        requires: feature.requires,
+        // Effective = what the dispatcher-gate actually uses right now,
+        // after cascade. When the feature-toggles runtime isn't wired
+        // (dev setup without the feature loaded), we surface null so the
+        // UI knows the runtime isn't available rather than defaulting
+        // to "everything on".
+        effective: effective ? effective.has(feature.name) : null,
+      });
+    }
+    return { items };
+  },
+});

package/src/feature-toggles/handlers/set.write.ts ADDED Viewed

@@ -0,0 +1,158 @@
+import { defineWriteHandler, SYSTEM_TENANT_ID } from "@cosmicdrift/kumiko-framework/engine";
+import {
+  UnprocessableError,
+  VersionConflictError,
+  writeFailure,
+} from "@cosmicdrift/kumiko-framework/errors";
+import { and, eq, sql } from "drizzle-orm";
+import { Temporal } from "temporal-polyfill";
+import { z } from "zod";
+import {
+  FEATURE_TOGGLE_AGGREGATE_TYPE,
+  FEATURE_TOGGLE_SET_EVENT_NAME,
+  FeatureToggleErrors,
+} from "../constants";
+import { globalFeatureStateTable } from "../global-feature-state-table";
+import type { GlobalFeatureToggleRuntime } from "../toggle-runtime";
+// Factory: binds a runtime accessor to the handler at registration time.
+// The runtime holds the in-memory snapshot that the dispatcher's gate
+// reads; every successful set() call must update it, otherwise the flip
+// won't take effect until the next boot.
+//
+// Accessor form (instead of direct runtime ref) supports the bootstrapping
+// flow: tests + setupTestStack construct the feature definition BEFORE the
+// runtime exists (the runtime needs the registry, which setupTestStack
+// builds from the features). The accessor is resolved lazily, at call time.
+export function createSetWriteHandler(getRuntime: () => GlobalFeatureToggleRuntime) {
+  return defineWriteHandler({
+    name: "set",
+    schema: z.object({
+      featureName: z.string().min(1),
+      enabled: z.boolean(),
+    }),
+    // Platform-operator action — SystemAdmin only.
+    access: { roles: ["SystemAdmin"] },
+    handler: async (event, ctx) => {
+      const { featureName, enabled } = event.payload;
+      // Guard 1: featureName must be a registered feature. Otherwise we'd
+      // pile up orphan rows from typos that the gate would silently apply
+      // (if someone ever added a feature with that name later).
+      const feature = ctx.registry.getFeature(featureName);
+      if (!feature) {
+        return writeFailure(
+          new UnprocessableError(FeatureToggleErrors.unknownFeature, {
+            i18nKey: "feature-toggles.errors.unknownFeature",
+            details: { featureName },
+          }),
+        );
+      }
+      // Guard 2: feature must be toggleable. Non-toggleable features (auth,
+      // tenant, user, feature-toggles itself) must stay on — the gate
+      // would ignore any row, but writing one sends the wrong signal to
+      // anyone reading the table.
+      if (feature.toggleableDefault === undefined) {
+        return writeFailure(
+          new UnprocessableError(FeatureToggleErrors.notToggleable, {
+            i18nKey: "feature-toggles.errors.notToggleable",
+            details: { featureName },
+          }),
+        );
+      }
+      // Read current state for event payload + optimistic-lock version.
+      // `$inferSelect` narrows the result shape to the real table schema —
+      // no hand-rolled cast, no drift if a column is added later.
+      type StateRow = typeof globalFeatureStateTable.$inferSelect;
+      const [existing] = (await ctx.db
+        .select()
+        .from(globalFeatureStateTable)
+        .where(eq(globalFeatureStateTable.featureName, featureName))
+        .limit(1)) as StateRow[];
+      const previousEnabled = existing?.enabled ?? null;
+      if (!existing) {
+        // First-time override: insert.
+        await ctx.db.insert(globalFeatureStateTable).values({
+          featureName,
+          enabled,
+          version: 1,
+          updatedBy: event.user.id,
+          updatedAt: Temporal.Now.instant(),
+        });
+      } else {
+        // Upsert with optimistic lock. Two operators flipping the same
+        // toggle simultaneously is rare but possible — the version-WHERE
+        // ensures only one wins; the loser sees VersionConflictError.
+        const updated = await ctx.db
+          .update(globalFeatureStateTable)
+          .set({
+            enabled,
+            version: sql<number>`${globalFeatureStateTable.version} + 1`,
+            updatedBy: event.user.id,
+            updatedAt: Temporal.Now.instant(),
+          })
+          .where(
+            and(
+              eq(globalFeatureStateTable.featureName, featureName),
+              eq(globalFeatureStateTable.version, existing.version),
+            ),
+          )
+          .returning();
+        if (updated.length === 0) {
+          return writeFailure(
+            new VersionConflictError({
+              entityId: featureName,
+              expectedVersion: existing.version,
+              currentVersion: existing.version + 1,
+            }),
+          );
+        }
+      }
+      // Domain event — the event-store IS the toggle-change audit trail.
+      // aggregateId = SYSTEM_TENANT_ID (uuid) because the events table
+      // types aggregate_id as uuid. Per-feature stream isolation would
+      // need synthetic UUIDs from the feature-name, which add nothing
+      // audit-wise; one shared toggle-changes stream per system is fine,
+      // and filtering by payload.featureName is trivial at query time.
+      // This mirrors how `config` handles the same constraint for
+      // its config-changed events.
+      // appendEventUnsafe — bundled-features ohne lokalen Wrapper. Apps
+      // mit `yarn kumiko codegen` kriegen `.kumiko/define.ts` als strict-
+      // path; bundled-features bleibt bei der unsafe-Variante. Schema-
+      // Validation läuft trotzdem via r.defineEvent("toggle-set", ...).
+      await ctx.appendEventUnsafe({
+        aggregateId: SYSTEM_TENANT_ID,
+        aggregateType: FEATURE_TOGGLE_AGGREGATE_TYPE,
+        type: FEATURE_TOGGLE_SET_EVENT_NAME,
+        payload: {
+          featureName,
+          enabled,
+          previousEnabled,
+          updatedBy: event.user.id,
+        },
+      });
+      // Update the local in-memory snapshot. Done AFTER the DB write +
+      // event append so a crash in either leaves the snapshot consistent
+      // with what's persisted. This is the response-latency optimization:
+      // the next request on THIS instance sees the flip without waiting
+      // for a dispatcher tick. Other instances learn the change through
+      // the `toggle-cache-sync` MSP (see feature-toggles-feature.ts). Both
+      // paths are idempotent — Map.set is last-write-wins and the DB is
+      // the source of truth after boot-time initialize().
+      getRuntime().apply(featureName, enabled);
+      return {
+        isSuccess: true,
+        data: { featureName, enabled, previousEnabled },
+      };
+    },
+  });
+}

package/src/feature-toggles/index.ts ADDED Viewed

@@ -0,0 +1,9 @@
+export {
+  createFeatureToggleRuntime,
+  createFeatureTogglesFeature,
+  FEATURE_TOGGLE_SET_EVENT_NAME,
+  FeatureToggleErrors,
+  type FeatureTogglesOptions,
+  GlobalFeatureToggleRuntime,
+  globalFeatureStateTable,
+} from "./feature";

package/src/feature-toggles/toggle-runtime.ts ADDED Viewed

@@ -0,0 +1,73 @@
+import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
+import {
+  computeEffectiveFeatures,
+  type Registry,
+  type ToggleReader,
+} from "@cosmicdrift/kumiko-framework/engine";
+import { globalFeatureStateTable } from "./global-feature-state-table";
+// Holds the current global-override snapshot in memory and exposes a
+// synchronous reader — the dispatcher's feature-gate calls it on every
+// handler invocation, so this must not do I/O on the hot path. The
+// snapshot is loaded once at boot via `.initialize()`, refreshed by the
+// set-handler on the local instance, and kept in sync across
+// instances by the `toggle-cache-sync` MSP (declared on the
+// feature-toggles feature, delivery: "per-instance"). Every API/worker
+// process observes every toggle-set event and applies it to its local
+// snapshot — no Redis / SSE / polling needed; the existing events-table
+// + event-dispatcher pipeline handles propagation.
+export class GlobalFeatureToggleRuntime {
+  private snapshot = new Map<string, boolean>();
+  constructor(
+    private readonly db: DbConnection,
+    private readonly registry: Registry,
+  ) {}
+  async initialize(): Promise<void> {
+    const rows = await this.db
+      .select({
+        featureName: globalFeatureStateTable.featureName,
+        enabled: globalFeatureStateTable.enabled,
+      })
+      .from(globalFeatureStateTable);
+    this.snapshot = new Map(rows.map((r) => [r.featureName, r.enabled]));
+  }
+  // Re-read the full snapshot. Called from the set-handler after a
+  // successful write — cheap point-update would be an optimisation but
+  // the table is small (O(features)) and this keeps the cache honest in
+  // the presence of concurrent external writes (seed scripts, ops SQL).
+  async refresh(): Promise<void> {
+    await this.initialize();
+  }
+  // In-memory cache update. Used by the set-handler when a single
+  // featureName transitions — saves a round-trip compared to refresh()
+  // while staying correct because set-handlers serialise via optimistic
+  // lock. Kept alongside refresh() so both options are explicit.
+  apply(featureName: string, enabled: boolean): void {
+    this.snapshot.set(featureName, enabled);
+  }
+  // The callback shape the dispatcher expects. Computes the effective
+  // feature set from the current snapshot + the registry's requires()
+  // cascade every call. Cheap: the cascade is a DFS over O(features);
+  // for the expected sizes (tens of features per app) this is ~µs.
+  effectiveFeatures = (): ReadonlySet<string> => {
+    const reader: ToggleReader = (name) => this.snapshot.get(name);
+    return computeEffectiveFeatures(this.registry, reader);
+  };
+}
+// Factory for app-boot wiring: instantiate, initialize, return both the
+// runtime (for the set-handler to refresh) and the callback (for
+// createDispatcher's effectiveFeatures option).
+export async function createFeatureToggleRuntime(
+  db: DbConnection,
+  registry: Registry,
+): Promise<GlobalFeatureToggleRuntime> {
+  const runtime = new GlobalFeatureToggleRuntime(db, registry);
+  await runtime.initialize();
+  return runtime;
+}

package/src/file-foundation/__tests__/feature.test.ts ADDED Viewed

@@ -0,0 +1,35 @@
+// feature.ts contract tests — pin the public surface of the
+// Plugin-API-shaped file-foundation. Provider-specific configs/secrets
+// are tested in their own provider-feature (file-provider-s3/__tests__).
+import { describe, expect, test } from "vitest";
+import { fileFoundationFeature } from "../feature";
+describe("fileFoundationFeature — shape", () => {
+  test("has the expected name", () => {
+    expect(fileFoundationFeature.name).toBe("file-foundation");
+  });
+  test("declares config as a hard requirement (provider-selector lives there)", () => {
+    expect(fileFoundationFeature.requires).toContain("config");
+  });
+  test("does NOT require secrets — provider-plugins own their own secrets", () => {
+    expect(fileFoundationFeature.requires).not.toContain("secrets");
+  });
+});
+describe("fileFoundationFeature.exports — typed handles", () => {
+  test("exposes only the provider-selector config-key", () => {
+    const keys = fileFoundationFeature.exports.configKeys;
+    expect(keys.provider).toBeDefined();
+    expect((keys as Record<string, unknown>)["bucket"]).toBeUndefined();
+    expect((keys as Record<string, unknown>)["region"]).toBeUndefined();
+  });
+});
+describe("fileFoundationFeature — registers extension-point", () => {
+  test("declares the 'fileProvider' extension-point", () => {
+    expect(fileFoundationFeature.registrarExtensions["fileProvider"]).toBeDefined();
+  });
+});